Great Circle Associates Firewalls
(September 1992)
 


Subject: paper (in progress) - general overview of firewalls -
From: mjr @ decuac . DEC . COM (Marcus J. "Buddy can you spare a clue?" Ranum)
Date: Wed, 23 Sep 92 22:30:48 -0400
To: firewalls @ GreatCircle . COM

	This is a paper I'm in the process of beating into shape to present.
I'll take the chance of getting minor burns by posting it here for critique.
The paper is intended to be a general overview of some of the kinds of
things people might be trying to do with firewalls, and the types of
approaches and risks. It's a convoluted topic - possibly I've bitten off more
than I can chew. All criticisms gratefully accepted.

mjr.
--cut here--
Thinking about Firewalls

Marcus J. Ranum
mjr @ dco . dec . com
Digital Equipment Corporation
Washington Open Systems Resource Center, Greenbelt, Maryland

Many companies connect to the Internet, guarded by "firewalls" designed to prevent unauthorized access to their private networks. Despite this general goal, many firewalls fall widely apart on a continuum between ease of use and security. This paper attempts to describe some of the background and tradeoffs in designing firewalls. A vocabulary for firewalls and their components is offered, to provide a common ground for discussion.

Why a Firewall?

The rationale for installing a firewall is almost always to protect a private network against intrusion. In most cases, the purpose of the firewall is to prevent unauthorized users from accessing computing resources on a private network, and often to prevent unnoticed and unauthorized export of proprietary information. In some cases export of information is not considered important, but for many corporations that are connecting this is a major though possibly unreasoning concern.

Often it is safe to say that a firewall needs to be put in place for the "CYA" (1) factor. Even though an employee could compromise proprietary information by carrying it offsite on a DAT or floppy disk, the Internet represents a tangible threat, populated with dangerous "hackers" (2) and other vandals. It could very easily cost a network manager his job if a break-in occurs via this route, even if the damage is no more extensive than could have been inflicted over a dial-up line or by a disgruntled employee. Generally, for a would-be Internet-connected site, the technical difficulties of implementing a firewall are greatly outweighed by the public relations problems of "selling" upper management on the idea. In summary, because Internet services are so highly visible, they are much more likely to require official oversight and justification.

(1) ``Cover Your Assets'' - this is a PG rated paper.
(2) The term ``hacker'' used to describe system crackers is controversial and offends many real hackers.

Design Decisions

In configuring a firewall, the major design decisions with respect to security are often already dictated by corporate or organizational policy; specifically, a decision must be made as to whether security is more important than ease-of-use, or vice versa. There are two basic approaches that summarize the conflict:

  - That which is not expressly permitted is prohibited.
  - That which is not expressly prohibited is permitted.
The importance of this distinction cannot be overemphasized. In the former case, the firewall must be designed to block everything, and services must be enabled on a case-by-case basis only after a careful assessment of need and risk. This tends to directly impact users, and they may see the firewall as a hindrance. In the second case, the systems administrator is placed in a reactive mode, having to predict what kinds of actions the user population might take that would weaken the security of the firewall, and preparing defenses against them. This essentially pits the firewall administrator against the users in an endless arms race that can become quite fierce. A user can generally compromise the security of their login if they try to or aren't aware of reasonable security precautions. If the user has an open access login on the firewall itself, a serious security breach can result. The presence of user logins on the firewall itself tends to magnify the problem of maintaining the system's integrity.

Levels of Threat

There are several ways in which a firewall can fail or be compromised. While none of them are good, some are decidedly worse than others. Since the purpose of many firewalls is to block access, it's a clear failure if someone finds a loophole through it that permits them to probe systems in the private network. An even more severe situation would result if someone managed to break into the firewall and reconfigure it such that the entire private network is reachable by all and sundry. For the sake of terminology, this type of attack will be referred to as "destroying" a firewall, as opposed to a mere "break-in." It is extremely difficult to quantify the damage that might result from a firewall's destruction. Another issue in quantifying how a firewall resists threat is what kind of information is gathered that might help the firewall administrator determine the course of an attack. The absolute worst thing that could happen is for a firewall to be completely compromised without any trace of how the attack took place. The best thing that can happen is for a firewall to detect an attack, and inform the administrator politely that it is undergoing attack, but that the attack is going to fail.

One way to view the result of a firewall being compromised is to look at things in terms of what can be roughly termed as "zones of risk". In the case of a network that is directly connected to the Internet without any firewall, the entire network is subject to attack. This does not imply that the network is *vulnerable* to attack, but in a situation where an entire network is within reach of an untrusted network, it is necessary to ensure the security of every single host on that network. Practical experience shows that this is difficult, since tools like rlogin that permit user-customizable access control are often exploited by vandals to gain access to multiple hosts, in a form of "island hopping" attack. In the case of any typical firewall, the zone of risk is often reduced to the firewall itself, or a selected subset of hosts on the network, significantly reducing the network manager's concerns with respect to direct attack. If a firewall is broken into, the zone of risk often expands again, to include the entire protected network; often a vandal gaining access to a login on the firewall can begin an island hopping attack into the private network, using it as a base. In this situation, there is still some hope, since the vandal may leave traces on the firewall, and may be detected. If the firewall is completely destroyed, however, the private network is entirely in the zone of risk, and can undergo attack from any external system, and the chances of having useful logging information to analyze the attacks are very small.

In general, firewalls can be viewed in terms of reducing the zone of risk to a single point of failure. In a theoretical sense, this seems like a bad idea, since it amounts to putting all of one's eggs in a single basket, but practical experience implies that at any given time, for a network of non-trivial size, there are at least a few hosts that are vulnerable to break-in by even an unskilled attacker. Many corporations have formal host security policies that are designed to address these weaknesses, but it is sheer foolishness to assume that publishing policies will suffice. A firewall does not replace host security, it enhances it, by funneling attackers through a narrow gap, where there's at least a chance of catching them or detecting them first. The well-constructed medieval castle had multiple walls and interlocking defense points for exactly the same reason.

Firewalls and Their Components
In discussing firewalls there is often confusion of terminology since firewalls all differ slightly in implementation if not in purpose. Various discussions on USENET indicate that the term "firewall" is used to describe just about any inter-network security scheme. For the sake of simplifying discussion, some terminology is proposed, to provide a common ground:

  - Screening Router - A screening router is a basic component of most firewalls. Screening routers can be a commercial router or a host-based router with some kind of packet filtering capability. Typical screening routers have the ability to block traffic between networks or specific hosts, on an IP port level. Some firewalls consist of nothing more than a screening router between a private network and the Internet.

  - Bastion Host - Bastions are the highly fortified parts of a medieval castle; points that overlook critical areas of defense, usually having stronger walls, room for extra troops, and the occasional useful tub of boiling hot oil for discouraging attackers. A bastion host is a system identified by the firewall administrator as a critical strong point in the network's security. Generally, bastion hosts will have some degree of extra attention paid to their security, may undergo regular audits, and may have modified software.

  - Dual Homed Gateway - Some firewalls are implemented without a screening router, by placing a system on both the private network and the Internet, and disabling TCP/IP forwarding. Hosts on the private network can communicate with the gateway, as can hosts on the Internet, but direct traffic between the networks is blocked. A dual homed gateway is, by definition, a bastion host.

  - Screened Host Gateway - Possibly the most common firewall configuration is a screened host gateway. This is implemented using a screening router and a bastion host. Usually, the bastion host is on the private network, and the screening router is configured such that the bastion host is the only system on the private network that is reachable from the Internet.

  - Screened Subnet - In some firewall configurations, an isolated subnet is created, situated between the Internet and the private network. Typically, this network is isolated using screening routers, which may implement varying levels of filtering. Generally, a screened subnet is configured such that both the Internet and the private network have access to hosts on the screened subnet, but traffic across the screened subnet is blocked.

  - Application Gateway - Much of the software on the Internet works in a store-and-forward mode; mailers and USENET news collect input, examine it, and forward it. Generally, these forwarding services, when running on a firewall, are important to the security of the whole. The famous sendmail hole that was exploited by the Morris Internet worm is one example of the kinds of security problems an application gateway can present. Other application gateways are interactive, such as the FTP and TELNET gateways run on the Digital firewalls. In general, the term "application gateway" will be used to describe some kind of forwarding service that runs across a firewall, and is a potential security concern. In general, crucial application gateways are run on some kind of bastion host.

  - Hybrid Gateways - Hybrid gateways are the "something else" category in this list. Examples of such systems might be hosts connected to the Internet, but accessible only via serial lines connected to an ethernet terminal server on the private network. Such gateways might take advantage of multiple protocols, or tunneling one protocol over another, or possibly might maintain and monitor the complete state of all TCP/IP connections, or somehow examine traffic to try to detect and prevent an attack. The AT&T corporate firewall [1] is a hybrid gateway combined with a bastion host.
Fitting the Parts Together
Taking the components described above, we can accurately describe most of the forms that firewalls take, and can make some general statements about the kinds of security problems each approach presents. Assuming that a firewall fulfills its basic purpose of helping protect the network, it is still important to examine each type of firewall with respect to:

  - Damage control - If the firewall is compromised, what kinds of threats does it leave the private network open to? If the firewall is destroyed, what kinds of threats does it leave the private network open to?

  - Zones of risk - How large is the zone of risk during normal operation? A basic measure of this is the number of hosts (or routers) that can be probed from the outside network.

  - Failure mode - If the firewall is broken into, how easy is it to detect? If the firewall is destroyed, how easy is it to detect? In a post mortem, how much information is retained that can be used to diagnose the attack?

  - Ease of use - How much of an inconvenience is the firewall?

  - Stance - Is the basic design philosophy of the firewall "That which is not expressly permitted is prohibited" or is it "That which is not expressly prohibited is permitted"?
32 0 0 50 50 0 0 0 46 /Times-Bold /font29 ANSIFont font
300 1319 724 (Firewalls using Screening Routers) 724 SB
32 0 0 42 42 0 0 0 38 /Times-Roman /font32 ANSIFont font
399 1428 1629 (Many networks are firewalled using only a screening router between the private network and the) 1629 SB
300 1478 1693 (Internet. This type of firewall is different from a screened host gateway in that usually there is direct) 1693 SB
300 1528 1673 (communication permitted between multiple hosts on the private network, and multiple hosts on the) 1673 SB
300 1578 1726 (Internet. The zone of risk is equal to the number of hosts on the private networks, and the number and) 1726 SB
300 1628 1759 (type of services that the screening router permits traffic to. Supposing the screening router permits all of) 1759 SB
300 1678 1688 (the hosts on the private network to communicate with arbitrary hosts on the Internet over the SMTP) 1688 SB
300 1728 1800 (service port, to have a reasonable degree of security, every host on the private network must have a version) 1800 SB
300 1778 1777 (of the mailer that is free of security holes. For each service provided, the size of the zone of risk increases) 1777 SB
300 1828 1656 (sharply and, worse, it becomes very hard to quantify. Damage control is difficult as well, since the) 1656 SB
300 1878 1756 (network administrator would need to examine every individual host for traces of a break-in regularly, or) 1756 SB
300 1928 1584 (rely on stumbling upon a clue by an accident such as a mismatched system accounting record ) 1584 SB
32 0 0 33 33 0 0 0 29 /Times-Roman /font32 ANSIFont font
1884 1937 47 ([2].) 47 SB
32 0 0 42 42 0 0 0 38 /Times-Roman /font32 ANSIFont font
1931 1928 121 (  In the) 121 SB
300 1978 1778 (case of total destruction of the firewall, it tends to be very hard to trace or often to notice. If a commercial) 1778 SB
300 2028 1683 (router is used, which does not maintain logging records, and the router's administrative password is) 1683 SB
300 2078 1757 (compromised, the entire private network can be laid open to attack very easily. Cases where commercial) 1757 SB
300 2128 1763 (routers have been configured with erroneous screening rules, or have lost their screening rules and come) 1763 SB
300 2178 1486 (up in some default mode because of hardware error or operator error are not unheard of.) 1486 SB
399 2278 1650 (Ease of use is usually very high, however, since the user can directly access Internet services from) 1650 SB
300 2328 1623 (their system. Generally, this configuration is a case of "That which is not expressly prohibited is) 1623 SB
300 2378 1753 (permitted" as the ingenious user can fairly easily piggyback protocols to achieve a higher level of access) 1753 SB
300 2428 1764 (than the administrator expects or wants. Given a collaborator on an external host, it is left as an exercise) 1764 SB
300 2478 1070 (to the reader to implement a remote login stream protocol over ) 1070 SB
32 0 0 42 42 0 0 0 38 /Times-Italic /font31 ANSIFont font
1370 2478 98 (BIND) 98 SB
32 0 0 42 42 0 0 0 38 /Times-Roman /font32 ANSIFont font
1468 2478 568 ( \(Domain Name Service\) packets.) 568 SB
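To make the two measures used in this section concrete (the zone of risk
of a screening router, and its stance), here is a small rule evaluator.
It is an added example and not code from the paper or from any router:
the private hosts, the services, the rule set and the outside probe
address are constructed sample data. The same three rules are evaluated
under both stances; the unmentioned DNS service is what separates them.

```python
"""Zone of risk and stance for a screening-router firewall.

Added example, not code from the paper.  It models the two measures the
section applies to a screening router: the zone of risk (which private
hosts, over which services, an outside host can reach) and the stance
(what happens to traffic that no rule mentions).  Hosts, services, rules
and the outside probe address are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product

ANY = "*"   # wildcard for the host and port fields of a rule


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    src: str         # outside source host, or ANY
    dst: str         # private destination host, or ANY
    port: int | str  # destination service port, or ANY

    def matches(self, src: str, dst: str, port: int) -> bool:
        return all(pat in (ANY, val) for pat, val in
                   ((self.src, src), (self.dst, dst), (self.port, port)))


def decide(rules: list[Rule], src: str, dst: str, port: int,
           *, default_permit: bool) -> bool:
    """First matching rule wins; unmatched traffic falls to the stance."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action == "permit"
    return default_permit


def zone_of_risk(rules, private_hosts, services, *, default_permit,
                 probe_src="203.0.113.9"):
    """(host, port) pairs an outside host can reach through the router.

    The paper's basic measure is the number of hosts that can be probed
    from outside; counting (host, service) pairs follows its remark that
    the zone grows with the number and type of services permitted.
    """
    return {(host, port) for host, port in product(private_hosts, services)
            if decide(rules, probe_src, host, port,
                      default_permit=default_permit)}


def reachable_hosts(zone):
    """Collapse the zone to the paper's head count of probeable hosts."""
    return {host for host, _ in zone}


# --- constructed sample network and rule set ------------------------------
PRIVATE_HOSTS = [f"10.0.0.{i}" for i in range(1, 6)]      # five hosts
SERVICES = {25: "smtp", 23: "telnet", 53: "dns", 2049: "nfs"}

# The administrator wrote rules for the services that came to mind; DNS
# was never mentioned, so its fate depends entirely on the stance.
RULES = [
    Rule("permit", ANY, ANY, 25),          # mail to every private host
    Rule("permit", ANY, "10.0.0.1", 23),   # telnet to one host only
    Rule("deny", ANY, ANY, 2049),          # NFS explicitly blocked
]


def compare_stances():
    """Zone under each stance for the same rule set."""
    return {
        "permitted unless prohibited":
            zone_of_risk(RULES, PRIVATE_HOSTS, SERVICES, default_permit=True),
        "prohibited unless permitted":
            zone_of_risk(RULES, PRIVATE_HOSTS, SERVICES, default_permit=False),
    }


if __name__ == "__main__":
    for stance, zone in compare_stances().items():
        print(f"{stance}: {len(zone)} host/service pairs, "
              f"{len(reachable_hosts(zone))} hosts probeable")
        for host, port in sorted(zone):
            print(f"  {host:10} {SERVICES[port]}")
```

With the rules above, both stances leave all five hosts probeable (SMTP
is open to every one of them), but the default-permit stance exposes 15
host/service pairs against 6 for default-deny, the difference being every
service nobody thought to write a rule for. That is the sense in which
the paper says the zone of risk of a screening router is hard to
quantify: it is a function of what the rules do not say.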
Dual Homed Gateways

An often used and easy to implement firewall is the dual homed gateway.
Since it doesn't forward TCP/IP traffic, it acts as a complete block
between the Internet and the private network. Its ease of use is
determined by how the systems manager chooses to set up access; either by
providing application gateways such as TELNET forwarders or by giving
users logins on the gateway host. If the former approach is taken, the
stance of the firewall is clearly "That which is not expressly permitted
is prohibited"; users can only access Internet services for which there
is an application gateway. If users are permitted logins, then, in the
opinion of the author, the firewall's security is seriously weakened.
During normal operation, the only zone of risk is the gateway host
itself, since it is the only host that is reachable from the Internet. If
there are user logins on the gateway host, and one of the users chooses a
weak password or has their account otherwise compromised, the zone of
risk expands to encompass the entire private network. From a standpoint
of damage control, the administrator may be able to track the progress of
an intruder, based on the access patterns of the compromised login, but a
skillful vandal can make this quite difficult. If a dual homed gateway is
configured without direct user access, damage control can be somewhat
easier, since the very fact that someone has logged in to the gateway
host becomes a noteworthy security event. Dual homed gateways have an
advantage over screening routers from the standpoint that their system
software is often easier to adapt to maintain system logs, hard copy
logs, or remote logs. This can make a post-mortem easier for the gateway
host itself, but may or may not help the network administrator identify
what other hosts on the private network may have been compromised in an
island-hopping attack.

Attacking a dual homed gateway leaves the attacker a fairly large array
of options. Since the attacker has what amounts to local network access
if a login can be obtained, all the usual attacks that can be made over a
local network are available. NFS-mounted file systems, weaknesses in
.rhosts files, automatic software distribution systems, network backup
programs and administrative shell scripts - all may provide a toehold on
systems on the internal network, which may then provide a base from which
to launch attacks back at the gateway itself.

The weakest aspect of the dual homed gateway is this: if the firewall is
destroyed, since the host is essentially a router with routing
functionality disabled, it is possible that a skillful attacker might
enable routing and throw the entire private network open to attack. In
the usual UNIX-based dual homed gateway, TCP/IP routing is often disabled
by modifying a kernel variable named ipforwarding; if system privileges
can be obtained or stolen on the gateway, this variable can be changed.
Perhaps this seems far-fetched, but unless great care is paid to
monitoring the software revision levels and configuration on the gateway
host, it is not improbable that a vandal with a copy of the release notes
for the operating system version and a login can compromise the system.
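The section names two things the administrator of a dual homed gateway
can actually watch for: that the forwarding switch and the rest of the
gateway's configuration have not drifted from what was installed, and
that any login on a gateway which is supposed to have none is itself a
security event. The following is an added example of such a check, not
code from the paper or from any gateway product. The baseline, the later
snapshot and the log lines are constructed, the release string and
configuration file contents are placeholders, and the login record layout
is an assumption of the example rather than any system's documented
format; on a real gateway the values would be read from the kernel, the
installed software list and the system log.

```python
"""Configuration-drift and login watch for a dual homed gateway.

Added example, not code from the paper.  Two checks the section calls
for: that the kernel forwarding switch (ipforwarding on the BSD-derived
systems the paper has in mind) and other recorded configuration have not
changed, and that no one has logged in to a gateway that permits no user
logins.  All data below is constructed; the log line layout is an
assumption of this example, not a documented format.
"""
import hashlib
import re

CRITICAL = {"ipforwarding"}   # a change here means the firewall is gone


def fingerprint(ipforwarding, os_release, config_files):
    """Snapshot the items worth comparing against a recorded baseline.

    config_files maps a path to its current contents (bytes); only a
    digest is kept so the snapshot can be stored or mailed off-host.
    """
    snap = {"ipforwarding": int(ipforwarding), "os_release": os_release}
    for path, data in config_files.items():
        snap["sha256:" + path] = hashlib.sha256(data).hexdigest()
    return snap


def config_drift(baseline, current):
    """Return (severity, key, expected, actual) for every difference."""
    drift = []
    for key in sorted(set(baseline) | set(current)):
        expected, actual = baseline.get(key), current.get(key)
        if expected != actual:
            severity = "CRITICAL" if key in CRITICAL else "WARNING"
            drift.append((severity, key, expected, actual))
    return drift


# Constructed syslog-like login records; the field layout is an
# assumption of this example.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) login: "
    r"(?P<user>\S+) on (?P<tty>\S+)(?: from (?P<origin>\S+))?$")


def login_events(lines):
    """Every login on the gateway is reported; none should occur."""
    events = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            events.append((m["ts"], m["user"], m["origin"] or "console"))
    return events


# --- constructed data -----------------------------------------------------
INETD_CONF = b"smtp stream tcp nowait root /usr/local/bin/mailgw mailgw\n"
BASELINE = fingerprint(0, "gw-release-1.0",   # placeholder release string
                       {"/etc/inetd.conf": INETD_CONF})

# A later snapshot: forwarding has been turned on and inetd.conf edited.
CURRENT = fingerprint(1, "gw-release-1.0",
                      {"/etc/inetd.conf": INETD_CONF + b"shell stream tcp nowait root /usr/libexec/rshd rshd\n"})

LOG_LINES = [
    "Sep 23 22:31:07 gw mailgw[211]: connection from 192.0.2.44",
    "Sep 23 22:40:15 gw login: jdoe on ttyp0 from 10.0.0.9",
    "Sep 23 23:02:51 gw inetd[120]: smtp/tcp: accepted",
    "Sep 24 01:14:03 gw login: root on console",
]


def report():
    """Findings a nightly job would mail (or print) to the administrator."""
    findings = [f"{sev}: {key} changed from {exp!r} to {act!r}"
                for sev, key, exp, act in config_drift(BASELINE, CURRENT)]
    findings += [f"WARNING: login by {user} from {origin} at {ts}"
                 for ts, user, origin in login_events(LOG_LINES)]
    return findings


if __name__ == "__main__":
    print("\n".join(report()) or "no findings")
```

The point of keeping only digests in the snapshot is that the baseline
and the nightly report can live somewhere other than the gateway itself
(hard copy or a remote log, as the section suggests), so that an intruder
who does obtain system privileges on the gateway cannot quietly rewrite
the record of what it used to look like.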
Screened Host Gateways

Several articles have described screened host gateways, and how to
construct them [3,4]. Generally, the screened host gateway is very
secure, while remaining fairly easy to implement. Typically, a bastion
host is configured on the private network, with a screening router
between the Internet and the private network, which only permits Internet
access to the bastion host. Since the bastion host is on the private
network, connectivity for local users is very good, and problems
presented by exotic routing configurations do not present themselves. If
the private network is, as many are, a virtual extended local area
network (e.g.: no subnets or routing) the screened host gateway will work
without requiring any changes to the local network, as long as the local
network is using a legitimately assigned set of network addresses.

The zone of risk of a screened host gateway is restricted to the bastion
host, and the screening router, and the security stance of the screened
host gateway is determined by the software running on that system. If an
attacker gains login access to the bastion host, there is a fairly wide
range of options for attacking the rest of the private network. In many
ways, this approach is similar to the dual homed gateway, sharing similar
failure modes and design considerations with respect to the software
running on the bastion host.

Screened Subnets

A screened subnet is usually configured with a bastion host as the sole
point of access on the subnet. The zone of risk is small, consisting of
that bastion host or hosts, and any screening routers that make up the
connections between the screened subnet, the Internet, and the private
network. The ease of use and basic stance of the screened subnet will
vary, but generally a screened subnet is appealing only for firewalls
that are taking advantage of routing to reinforce the existing screening.
This approach forces all services through the firewall to be provided by
application gateways, and forces the stance to be very strongly in the
"That which is not expressly permitted is prohibited" category.

If a screened subnet based firewall with inter-network routing blocked is
attacked with an intent to destroy it, the attacker must reconfigure the
routing on three networks, without disconnecting or locking himself out,
and without the routing changes being noticed. No doubt this is possible,
but it can be made very difficult by disabling network access to the
screening routers, or by configuring the screening routers to only permit
access from specific hosts on the private network. In this case, an
attacker would need to break into the bastion host, then into one of the
hosts on the private network, and then back out to the screening router -
and would have to do it without setting off any alarms.

Another advantage of screened subnets is that they can be put in place in
such a way that they hide any accidents of history that may linger on the
private network. Many sites that would like to connect to the Internet
are daunted by the prospect of re-addressing and re-subnetting existing
networks. With a screened subnet with blocked inter-network routing, a
private network can be connected to the Internet and changed gradually to
new subnet and network addresses. In fact, this approach has been
observed to significantly accelerate the adoption of new network
addresses on loosely controlled private networks. Users will be more
receptive to changing their host addresses if they can realize the
benefits of Internet connectivity thereby, since hosts that are not
correctly addressed cannot use the firewall properly.

In most other respects, the screened subnet is very much dependent on the
suite of software running on the bastion host. Screening a whole subnet
provides functionality similar to the dual homed gateway or screened host
gateway; it differs primarily in the extra level of complexity in routing
and configuration of the screening routers.

Hybrid Gateways

Security through obscurity is not sufficient in and of itself, but there
is no question that an unusual configuration, or one that is hard to
understand, is likely to give an attacker pause, or to make them more
likely to reveal themselves in the process of trying to figure out what
they are facing. On the other hand there is a real advantage to having a
security configuration that is easy to understand, and therefore easier
to evaluate and maintain. Since the hybrid gateway is mentioned here in
the category of "something else" no attempt will be made to describe the
indescribable. Some hypothetical hybrids may serve to show how hybrid
gateways might differ from and be similar to the other types.

Let us postulate a hybrid gateway that consists of a box sitting on the
Internet, which is capable of routing traffic, but also maintains a
complete notion of the state of every TCP connection, how much data has
gone across it, where it originated, and its destination. Presumably,
connections can be filtered based on arbitrarily precise rules, such as:
"permit traffic between host a on the private network and all hosts on
network b on the Internet via the TELNET service if and only if the
connection originated from host a between the hours of 9:00 am and 5:00
pm and log the traffic." This sounds terrific, providing arbitrary-level
control with great ease of use, but some problems simply refuse to go
away. Consider that someone wishing to circumvent the firewall, who broke
into the private network via an unguarded modem, might very easily set up
an arbitrary service engine that was piggybacked over the TELNET port.
This is actually a fairly easy firewall to destroy.
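The rule quoted above can be written out as a small connection-tracking
filter, which makes both its strength and its blind spot visible. The
following is an added example, not code from the paper or from any
product: host a, network b, the gateway clock values and the packet trace
are all constructed, and the flag letters are the usual TCP abbreviations
(S for SYN, A for ACK, F for FIN, R for RST).

```python
"""Stateful filter for the paper's hypothetical hybrid gateway rule.

Added example, not code from the paper.  It implements the rule quoted
above: permit TELNET (TCP port 23) between host a on the private network
and any host on network b on the Internet, only for connections that
host a itself originated between 9:00 am and 5:00 pm, and log the
traffic.  Host a, network b, the clock values and the packet trace are
constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network

HOST_A = ip_address("10.0.0.7")            # constructed "host a"
NETWORK_B = ip_network("192.0.2.0/24")     # constructed "network b"
TELNET = 23
WORK_START, WORK_END = time(9, 0), time(17, 0)


@dataclass(frozen=True)
class Packet:
    t: time           # gateway clock when the packet was seen
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # subset of "SAFR"
    payload: int = 0  # bytes of data carried


@dataclass
class StatefulGateway:
    table: dict = field(default_factory=dict)   # connection key -> bytes seen
    log: list = field(default_factory=list)

    @staticmethod
    def key(p: Packet) -> frozenset:
        """Direction-independent identity of the TCP connection."""
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    @staticmethod
    def may_originate(p: Packet) -> bool:
        """The rule's conditions on a new connection."""
        return (ip_address(p.src) == HOST_A
                and ip_address(p.dst) in NETWORK_B
                and p.dport == TELNET
                and WORK_START <= p.t <= WORK_END)

    def filter(self, p: Packet) -> bool:
        """Return True to forward the packet, False to drop it."""
        k = self.key(p)
        if k in self.table:
            # Belongs to a connection host a opened: both directions pass,
            # the byte count is kept, and a FIN or RST closes the entry.
            self.table[k] += p.payload
            if "F" in p.flags or "R" in p.flags:
                total = self.table.pop(k)
                self.log.append(f"close {p.src}:{p.sport}->{p.dst}:{p.dport} bytes={total}")
            return True
        if "S" in p.flags and "A" not in p.flags and self.may_originate(p):
            self.table[k] = p.payload
            self.log.append(f"open {p.t} {p.src}:{p.sport}->{p.dst}:{p.dport}")
            return True
        # No state and not an admissible opening: SYNs from the outside
        # toward host a, after-hours openings, other hosts, other ports.
        self.log.append(f"drop {p.t} {p.src}:{p.sport}->{p.dst}:{p.dport} flags={p.flags or '-'}")
        return False


# Constructed packet trace, in clock order, exercising each clause.
TRACE = [
    Packet(time(10, 15), "10.0.0.7", 4001, "192.0.2.10", 23, "S"),       # host a opens
    Packet(time(10, 15), "192.0.2.10", 23, "10.0.0.7", 4001, "SA"),      # reply, has state
    Packet(time(10, 16), "10.0.0.7", 4001, "192.0.2.10", 23, "A", 40),   # data
    Packet(time(10, 30), "10.0.0.7", 4003, "192.0.2.10", 25, "S"),       # not telnet
    Packet(time(10, 30), "10.0.0.8", 4004, "192.0.2.10", 23, "S"),       # not host a
    Packet(time(10, 40), "192.0.2.10", 23, "10.0.0.7", 4001, "FA"),      # close
    Packet(time(11, 0), "192.0.2.10", 3333, "10.0.0.7", 23, "S"),        # outside originates
    Packet(time(18, 30), "10.0.0.7", 4002, "192.0.2.10", 23, "S"),       # after hours
]


def run_trace(trace=TRACE):
    """Feed the trace through a fresh gateway; return decisions and gateway."""
    gw = StatefulGateway()
    return [gw.filter(p) for p in trace], gw


if __name__ == "__main__":
    decisions, gw = run_trace()
    for p, ok in zip(TRACE, decisions):
        print("pass" if ok else "drop", f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags}")
    print("\n".join(gw.log))
```

Everything the filter decides on is addresses, ports, flags and the
clock; it never looks at the bytes carried on port 23, which is exactly
the gap the paragraph describes. The per-connection byte counts written
to the log at close are therefore the one thing this design gives the
administrator for noticing a "TELNET" session that does not look like
one.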
Another hybrid gateway might take advantage of various forms of protocol
tunneling. Suppose the requirement is to connect to the Internet with
very tight restrictions, but that a high degree of connectivity is
required between the private network and an external network that is
somewhat trusted (for example a corporate R&D department needs to be able
to run X-windows applications on a CRAY supercomputer at another
facility). The usual archetypal gateways discussed here could provide
general purpose e-mail connectivity, but for secure point-to-point
communications, an encrypted point-to-point virtual TCP/IP connection
might be set up with the remote system, after users had authenticated
themselves with a cryptographic smart card. This would be extremely
secure, and might be made fairly easy to use, but has the disadvantage
that the protocol driver needs to be added to every system that wants to
share communication. Performance might be terrible, too, especially if
the application in the example is X-windows based. It is hard to make any
guesses about the failure mode of such a system, but the zone of risk is
clearly and neatly delineated to being all the hosts which are running
the tunneling protocol driver, and to which the individual user has smart
card access. Some of this might be implemented in hardware or in the
routers themselves.

In the future, it is likely that the rapid growth of the Internet will
fuel more development in this area, and we will see various hybrid
gateways arise. The basic issues surrounding configuring a firewall will
probably remain the same as the ones discussed here.

Other firewall-related tools

Active research and development is being done on tools that are designed
to aggressively seek out and identify weaknesses in an entire network, or
to detect the patterns that might indicate when an attack is in progress.
These tools range from the simple [5] checklist to complex "expert
systems" with inference engines and elaborate rule bases. Many firewalls
today run software that is designed to go forth and gather information
relating to possible attacks and their origins, often using and abusing
tools like finger and SNMP [6,7]. Unless true artificial intelligence is
developed, however, these tools cannot guard against an unknown form of
attack, since they cannot possibly match the creativity of a network
vandal. While often billed as being "proactive" they are in fact
reactive, and generally will serve only to catch systems crackers armed
with last year's bag of tricks. Catching the small fry is still worth
doing, but it is likely that they are less of a threat than the fellow
who is so eager to break into your network that he is doing research and
development in new system cracking techniques.

No Conclusions, but Observations

It is the privilege of a writer to use the last section of a publication
to state his opinions and call them "conclusions". In dealing with
firewalls, it is simply not reasonable to say that any particular
approach is best, since there are so many factors that determine what the
best firewall for a given situation may be. Cost, corporate policy,
existing network technology, staffing, and intra-organizational politics
may all easily outweigh the technical considerations presented here.

There are a few observations worth making about firewalls at a very
general level. Firstly, a firewall is a leverage-increasing device from a
network management point of view. Rather than looking at it as "all eggs
in one basket," it can also be viewed as a trustworthy basket, and a
single point from which a very important security system can be
controlled. The size of the zone of risk is crucial to the design; if it
is small, security can be maintained and controlled easily but if
security is compromised, the damage can be more severe. The ideal would
be to have such strong host-based security that a firewall would be
redundant. Systems administration costs, and a hard dose of reality,
prevent this ideal from being obtainable.

A second important aspect of firewall building is that it is not
something to undertake in a vacuum. Many sites are connected with a
simple firewall consisting of a screening router and nothing more because
someone told them that it was "secure enough." There is no such thing as
"secure enough"; the old hot rodder's adage about speed applies here:
"speed is just a matter of money - how fast do you want to go?" In
setting up a firewall one must trade off time and money, security, and
risk. One should no more install a particular form of firewall because it
is "secure enough" without understanding the trade-offs than one should
buy a used car that is "fast enough" without test driving it.

Finally, it is important when approaching implementing a firewall to
avoid the urge to start from scratch. System security is a lot like
pregnancy; one is seldom only broken into a little bit, and it only takes
a little mistake or a moment of inattention to find yourself in a
delicate position. Leaning on the experiences of others, and learning
from their mistakes and successes is very important. Setting up a
firewall is definitely an area where having a wide background in
experience to draw upon is important. The vandals on the network have a
wide background in experience to draw upon as well, and a firewall
administrator must communicate with others, and must keep up to date on
other firewall related happenings on the network. Static defenses do not
work unless they keep up with emerging tricks of the trade, or one's
firewall may be the next Maginot Line, or Eben Emael.

The purpose of this paper is not to discourage companies from connecting
to the Internet. The Internet is an incredibly valuable resource, one
which will in the coming years completely change the way people work and
communicate on a global level. The benefits of connection far outweigh
the costs, but it is wise to reduce the costs and potential costs as much
as possible, by being aware of the dangers and being as protected as is
necessary.

References

[1] Bill Cheswick, "The Design of a Secure Internet Gateway," USENIX
    proceedings.
[2] Cliff Stoll, "The Cuckoo's Egg".
[3] Smoot Carl-Mitchell and John Quarterman, "Building Internet
    Firewalls," UNIX World, February 1992.
[4] Simson Garfinkel and Gene Spafford, "Practical UNIX Security,"
    O'Reilly and Associates, June 1991.
[5] Dan Farmer, "COPS and Robbers, UN*X System Security," Internet
    software.
[6] Bill Cheswick, "An Evening with Berferd in which a cracker is Lured,
    Endured, and Studied," USENIX proceedings, Jan 20, 1990.
[7] Marcus Ranum, "An Internet Firewall," proceedings of World Conference
    on Systems Management and Security, 1992.